Overview

overview

10

Static

static

3

JaffaCakes...53.exe

windows7-x64

7

JaffaCakes...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe

  • Size

    912KB

  • MD5

    9457b2cd1a08799db8940186c5f31f53

  • SHA1

    26c340f41fbac82e85a700a2fd02a66ad7118f24

  • SHA256

    f8382a87bb775e3292a331c9f8593f74f1ce79c779c6b9fc3b5880119e166f5c

  • SHA512

    b05f863884afca7940a163ce7658090e2cf10e906c2da1bb0ee262fb165086ac17c5429a2bf7bbd662f0693238e90f72af1edd7aaf46174184d8ca6c813a93ef

  • SSDEEP

    12288:Bsm6a+fi4vNVDEumHy9obTWAoCQNbo75lYzZ+IrlV/3oWoYAWgyMHC0L:Th+BvXuTbTWJNM7jYznj/PotAMi0L

Score
10/10
darkcometmr.rootdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Mr.root

C2

linuxer.no-ip.org:8080

linuxer.no-ip.org:80
Mutex

DC_MUTEX-5YS10D7

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    13Q0YE0nY4ol

  • install

    true

  • offline_keylogger

    true

  • password

    study!@#

  • persistence

    false

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9457b2cd1a08799db8940186c5f31f53.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5136
    • C:\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe
      "C:\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5312
    • C:\Users\Admin\AppData\Local\Temp\dddd.exe
      "C:\Users\Admin\AppData\Local\Temp\dddd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5984
      • C:\Users\Admin\AppData\Local\Temp\dddd.exe
        C:\Users\Admin\AppData\Local\Temp\dddd.exe
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5332
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\dddd.exe" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\dddd.exe" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4724
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4356
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\system32\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5900
          • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5020
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5572
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x4b0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4000
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\MSDCSC\msdcsc.exe
    1⤵
      PID:4088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IDM.v6.xx.release.3-patch.exe
      Filesize

      622KB

      MD5

      02106a846c69468db29f2137203857e0

      SHA1

      b028922f390c56f5848be3ff3d3507f5c07f87b5

      SHA256

      e1ff2ecf46db4b9fde9b061cdd0c055dbca2755dc0500bf6c7d1a3284cb46d35

      SHA512

      5595b966db8ecc354c0be847ce46430baf8f124e1048b2506293d30ab5201828a2c9ab93be8888d13113fff60ef830d68914762f8ab24d64cd17043ba9be18f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bassmod.dll
      Filesize

      33KB

      MD5

      e4ec57e8508c5c4040383ebe6d367928

      SHA1

      b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

      SHA256

      8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

      SHA512

      77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dddd.exe
      Filesize

      284KB

      MD5

      2c00fe9368bbed106937fc627dbe5dd2

      SHA1

      d38394ed6228d02a12a4789a698b2011b8218ff6

      SHA256

      5c6dba7fdef39e82756a2aafa05a6587892b85c32cd00c0d78e8a626d04fcf68

      SHA512

      b67e59e1eee862c1d052a07bb0c032ab389426bac37dd4b4ad1ceb74e560fd7309847a4dba75bcff2e4fe680071d910bc5db6143b6bd89a4fae24a967eae77b9

      Download Submit

    • memory/5020-126-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-99-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-141-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-138-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-135-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-132-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-129-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-108-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-97-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-144-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-100-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-123-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-120-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-117-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-114-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-147-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-111-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5020-107-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5312-113-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-128-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-105-0x0000000000400000-0x0000000000573000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5312-106-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-104-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-116-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-103-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/5312-119-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-12-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/5312-122-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-146-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-125-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-11-0x0000000000400000-0x0000000000573000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5312-110-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-143-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-131-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-25-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-134-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-140-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5312-137-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/5332-28-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5332-30-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5332-31-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5332-32-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5332-26-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5332-101-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/5572-98-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB

      Download